This is pertaining to the UPI Payment system in India.
I am using the sample code at https://developers.google.com/pay/india/api/android/in-app-payments to initiate Google Pay App to make UPI Payment. And everything is working fine.
My concern is:
- As all this is at the client end (mobile app), a user (say, hacker) may generate random response values and invoke the server URL to tell the server that the payment is successful. How can I prevent that? How can I ensure that the payment was actually made?
In the provided example, there is a query parameter "url". Does Google's server call this URL to update the payment status?
I tried, but nothing happened (I created a page which saves the page URL (Request.RawUrl) in a text file, but on payment the page was not called).
Maybe Google does call this URL (and I missed something), maybe it does NOT; can anyone confirm?
Repeat: My actual problem is how to prevent a hacker from fooling the server that the payment is made successfully.
Note: This is to be my first app, so banks are not ready to provide API/UPI integration.
Paytm provides an API to check transaction status, so not a problem with that.
If not a direct solution, any way around will also work as long as it prevents me from manually checking bank statements.
TIA.